What is Msdtc.exe

File description

Msdtc.exe (description: Distributed Transaction Coordinator) is a process file from Microsoft Corporation, belonging to the product Microsoft Distributed Transaction Coordinator.
The file is digitally signed by Microsoft Windows Component Publisher - Microsoft Timestamping Service.
We do not recommend removing files that are digitally signed by Microsoft Windows Component Publisher.

What is msdtc.exe?
This is the Microsoft Distributed Transaction Coordinator. It is installed with many Microsoft products, including Microsoft SQL Server, IIS, the .NET Framework, and Visual Basic 6. Its purpose is to allow client applications to coordinate sources of data to be used in one transaction (e.g., performing a database update with data from multiple sources).

This process is not essential to the operation of the system but should not be disabled unless it is causing problems. By killing this process, you will lose the coordination functionality, which may cause problems with the applications that make use of it. Do not delete this executable, as it may render various pieces of software unusable, including Visual Studio, IIS, or the .NET Framework. The screenshot below illustrates how it should appear in the Task Manager:

Although in this screenshot msdtc.exe is running as the current user (in this case, Mike), it can conceivably run as any user. A process with this name running as a different user is not necessarily indicative of a malware infection.

Dangers of msdtc
Because this is a legitimate executable that ships with many Microsoft products and is therefore installed on many systems, virus writers and spyware vendors can disguise their malware as the genuine file.

Some malicious files may have the same name as this process but be stored somewhere other than in %SystemRoot%\System32. Other malware may use a name that appears similar to that of the legitimate one but with slight differences in spelling or with appended digits. The following malware is known to disguise itself as msdtc.exe:

W32/Stap (%ProgramFiles%)

This is a mass-mailing worm that is also able to spread via open network shares.

This is a Trojan horse that allows a remote attacker to take over an infected machine. It registers itself as a system driver service named MSDCT (the c and the t are transposed versus the name of the executable and DLL).

W32/Hupigo-SJ (%SystemRoot%\System32)

This is a Trojan horse that can communicate with a remote server via HTTP and can allow a remote attacker to take over an infected machine.

Troj/HaxDrop-A (%Temp%)

Troj/Bckdr-QKM (%SystemRoot%\System32)

There should not typically be more than one instance of msdtc.exe running at a given time on a system. The presence of multiple instances may be an indicator of a malware infection.
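The indicators described in this section (a copy stored outside %SystemRoot%\System32, a look-alike name, more than one running instance) can be written as a triage check over a process inventory. This is an added example, not part of the original page; the `pid`/`path` record layout, the sample inventory and the assumption that %SystemRoot% is C:\Windows are constructed for illustration.

```python
import ntpath
import re

LEGIT_NAME = "msdtc.exe"
LEGIT_DIR = r"c:\windows\system32"  # assumption: %SystemRoot% is C:\Windows

def is_lookalike(name):
    """Appended digits (msdtc1.exe) or two adjacent letters swapped (msdct.exe)."""
    stem = ntpath.splitext(name.lower())[0]
    target = ntpath.splitext(LEGIT_NAME)[0]
    if stem == target:
        return False
    if re.fullmatch(re.escape(target) + r"\d+", stem):
        return True
    swaps = {target[:i] + target[i + 1] + target[i] + target[i + 2:]
             for i in range(len(target) - 1)}
    return stem in swaps

def triage(processes):
    """Return {pid: [reasons]} for entries matching the indicators above."""
    findings, exact = {}, []
    for proc in processes:
        folder, name = ntpath.split(ntpath.normpath(proc["path"]).lower())
        if name == LEGIT_NAME:
            exact.append(proc["pid"])
            if folder != LEGIT_DIR:
                findings.setdefault(proc["pid"], []).append("unexpected-path")
        elif is_lookalike(name):
            findings.setdefault(proc["pid"], []).append("lookalike-name")
    if len(exact) > 1:  # more than one msdtc.exe at a time is unusual
        for pid in exact:
            findings.setdefault(pid, []).append("multiple-instances")
    return findings

# Constructed inventory for illustration (not real telemetry).
SAMPLE = [
    {"pid": 1204, "path": r"C:\Windows\System32\msdtc.exe"},
    {"pid": 3380, "path": r"C:\Program Files\msdtc.exe"},
    {"pid": 4412, "path": r"C:\Users\mike\AppData\Local\Temp\msdtc1.exe"},
    {"pid": 5016, "path": r"C:\Windows\System32\msdct.exe"},
    {"pid": 612, "path": r"C:\Windows\System32\svchost.exe"},
]

# A file named msdtc.exe inside System32 passes these checks; confirm its
# digital signature as well before treating it as genuine.
if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE).items():
        print(pid, ", ".join(reasons))
```

A single msdtc.exe in System32 produces no finding, which is why two of the listed samples (those that install into %SystemRoot%\System32) need the signature check rather than the path check.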

Common problems

This program tries to listen on port 2150

While this behavior is known to occur in the real process, you should ensure that your system is not infected with a virus.